OpenDNS Sheds Light on Domain Shadowing

By Owen Lystrup
Posted on November 24, 2015
Updated on March 4, 2020


In March this year the Talos Security group at Cisco coined a name for an attack that hackers have been using since at least 2011. Domain Shadowing is when an attacker gains admin access to a legitimate domain and uses it to register a large number of shady subdomains, usually to serve an exploit kit. For instance, visapayment.opendns[.]com instead of opendns[.]com. It’s becoming more common because of how easy a domain shadowing attack is to run, and how hard it is to detect.
Using a Stolen Reputation
“Domain shadowing using compromised registrant credentials is the most effective, difficult to stop, technique that threat actors have used to date. The accounts are largely random so there is no way to track which domains will be used next. Additionally, the subdomains are very high volume, short lived, and random, with no discernible patterns. This makes blocking increasingly difficult,” Cisco threat researcher Nick Biasini explained in his blog post about Domain Shadowing. The worst part is that owners of the legitimate domain are often not aware it is being used for Domain Shadowing.
OpenDNS Security Labs researchers have also been tracking the rising popularity of exploit kits, and responded with new security models and features to detect them. One feature is an addition to OpenDNS’s threat intelligence search engine, Investigate. Called Pattern Search, it adds regular expression and wildcard searching to the search engine, so that results can be correlated far more effectively.
SPRank and Predictive Discovery

Figure: Pattern Search in action looking for DGAs.

Currently, most blocking and detection mechanisms for Domain Shadowing rely on some sort of domain reputation system that rates good versus bad domains. But reputation scores, according to Technical Leader Dhia Mahjoub, are not enough to catch most Domain Shadowing attacks. Mahjoub, along with Security Researcher Thomas Mathew, recently announced a new security model to get around this issue.
“Compromised domains that have a great historical reputation will easily fool a reputation system,” Mahjoub wrote in a blog post. “Furthermore, cheap hosting makes it difficult to assign meaningful scores for IP reputation as new ranges appear having no historical context to provide it a score. SPRank avoids these issues by analyzing the DNS request patterns to a domain.” In other words, a reputation system, upon seeing a CNAME like Amazon[.]com, will give a compromised subdomain a pass, since Amazon is a well-known and highly reputable site.
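To make the two ideas above concrete, here is an added example (not OpenDNS or Cisco code, and not the SPRank model itself): a regex/wildcard search over hostnames in the spirit of Pattern Search, plus a burst detector that looks at how requests to a parent domain behave over time rather than at its reputation. It flags a domain when many never-before-seen subdomains appear within a short window and all resolve to the same address, the "high volume, short lived, random" signature Biasini describes. The `SAMPLE_RECORDS`, the one-hour window, the five-subdomain threshold and the assumption that the registrable domain is the last two labels are all constructed for the example.

```python
"""Detection heuristics for domain shadowing over DNS records.

Added illustration, not OpenDNS/Cisco code. pattern_search() does regex or
wildcard matching over hostnames; find_shadowing_bursts() flags a parent
domain that suddenly gains many new subdomains sharing one answer. Records,
thresholds and the two-label parent assumption are constructed here.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style records: (first_seen, fqdn, answer).
SAMPLE_RECORDS = [
    ("2015-11-20T10:00:00", "www.example.com", "198.51.100.10"),
    ("2015-11-20T10:05:00", "mail.example.com", "198.51.100.11"),
    ("2015-11-21T09:00:00", "shop.example.com", "198.51.100.12"),
    # Burst of random-looking subdomains, all pointing at one host.
    ("2015-11-23T14:00:00", "k3j9fq2.example.com", "203.0.113.5"),
    ("2015-11-23T14:01:00", "x81mzq0.example.com", "203.0.113.5"),
    ("2015-11-23T14:02:00", "visapayment.example.com", "203.0.113.5"),
    ("2015-11-23T14:03:00", "q7ze1ga.example.com", "203.0.113.5"),
    ("2015-11-23T14:04:00", "w0ptr9n.example.com", "203.0.113.5"),
    ("2015-11-23T14:05:00", "bq2nx7v.example.com", "203.0.113.5"),
    ("2015-11-23T14:06:00", "mm8k2zu.example.com", "203.0.113.5"),
    # A quiet domain for contrast.
    ("2015-11-20T08:00:00", "www.example.net", "198.51.100.20"),
    ("2015-11-22T08:00:00", "blog.example.net", "198.51.100.21"),
]


def split_fqdn(fqdn):
    """Return (subdomain, parent). Assumes the registrable domain is the last
    two labels; production code would consult the public suffix list."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def wildcard_to_regex(pattern):
    """Turn a shell-style wildcard such as '*payment*.example.com' into an
    anchored regular expression."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def pattern_search(records, pattern, wildcard=False):
    """Return the distinct hostnames matching a regex (or wildcard) pattern."""
    regex = re.compile(wildcard_to_regex(pattern) if wildcard else pattern, re.I)
    return sorted({fqdn for _, fqdn, _ in records if regex.search(fqdn)})


def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score higher."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_shadowing_bursts(records, window=timedelta(hours=1), min_new=5):
    """Flag parents that gain at least `min_new` new subdomains within `window`.
    Returns {parent: {"subdomains": [...], "answers": [...], "mean_entropy": x}}."""
    by_parent = defaultdict(list)
    for ts, fqdn, answer in records:
        sub, parent = split_fqdn(fqdn)
        if sub:
            by_parent[parent].append((datetime.fromisoformat(ts), sub, answer))
    findings = {}
    for parent, entries in by_parent.items():
        entries.sort()
        flagged, start = set(), 0
        for end in range(len(entries)):
            # Slide the window start forward until it spans at most `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            if end - start + 1 >= min_new:
                flagged.update(range(start, end + 1))
        if flagged:
            burst = [entries[i] for i in sorted(flagged)]
            subs = [sub for _, sub, _ in burst]
            findings[parent] = {
                "subdomains": subs,
                "answers": sorted({ans for _, _, ans in burst}),
                "mean_entropy": round(
                    sum(label_entropy(s.split(".")[0]) for s in subs) / len(subs), 2),
            }
    return findings


if __name__ == "__main__":
    print("wildcard:", pattern_search(SAMPLE_RECORDS, "*payment*.example.com", wildcard=True))
    print("regex:   ", pattern_search(SAMPLE_RECORDS, r"^[a-z0-9]{7}\.example\.com$"))
    for parent, info in find_shadowing_bursts(SAMPLE_RECORDS).items():
        print(f"{parent}: {len(info['subdomains'])} new subdomains -> {info['answers']}, "
              f"mean label entropy {info['mean_entropy']}")
```

On the sample data the burst detector flags only example.com, with seven new subdomains in six minutes all answering 203.0.113.5, while example.net's two ordinary hostnames spread over two days stay quiet. The entropy figure is reported as supporting evidence rather than used as a filter, because short legitimate labels such as "www" and short random labels overlap too much for a threshold alone to be reliable.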
How to Further Protect Against Domain Shadowing
Aside from advanced security solutions like Investigate, the key to protecting against Domain Shadowing lies in protecting the credentials of your site’s registrant, and monitoring for changes to the domain’s registrant account. “It’s one thing that people just don’t do,” Craig Williams, security outreach manager for Cisco Talos, told ThreatPost in an interview. “No one logs back into their registrant account unless they are going to change something, or renew it.”
Two-factor authentication is probably the first and most effective precaution. Most domain registrars, even the often-abused GoDaddy, offer two-factor authentication. Using it will ensure that even if admin credentials are compromised, they can’t be used to register a new malicious domain.
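Since nobody logs back into the registrant account, the practical answer to Williams's point is to make a machine do it. The following added example (again not Cisco or OpenDNS code) shows the monitoring side: export the zone and registrar settings on a schedule, diff each export against the last known-good snapshot, and alert on any subdomain you did not create or any change to the apex records such as the name servers. The snapshot format, the two snapshots `BASELINE` and `CURRENT`, and the `ns3.placeholder.example` name server are constructed for the example; in practice the export would come from the registrar's API or from your own authoritative server.

```python
"""Owner-side change monitoring for a domain's zone and registrar settings.

Added illustration, not Cisco/OpenDNS code. Snapshots are constructed dicts
of the form {name: {rtype: set(values)}}; how you obtain them (registrar
API, zone file export) is outside this example.
"""

BASELINE = {
    "example.com": {"NS": {"ns1.registrar.example", "ns2.registrar.example"},
                    "A": {"198.51.100.10"},
                    "MX": {"10 mail.example.com"}},
    "www.example.com": {"A": {"198.51.100.10"}},
    "mail.example.com": {"A": {"198.51.100.11"}},
}

# Constructed "later" export: two subdomains the owner never created and an
# extra name server (placeholder name) added at the apex.
CURRENT = {
    "example.com": {"NS": {"ns1.registrar.example", "ns2.registrar.example",
                           "ns3.placeholder.example"},
                    "A": {"198.51.100.10"},
                    "MX": {"10 mail.example.com"}},
    "www.example.com": {"A": {"198.51.100.10"}},
    "mail.example.com": {"A": {"198.51.100.11"}},
    "visapayment.example.com": {"A": {"203.0.113.5"}},
    "k3j9fq2.example.com": {"A": {"203.0.113.5"}},
}


def diff_zone(baseline, current):
    """Return (added_names, removed_names, changed) where changed maps
    name -> {rtype: (old_values, new_values)} for record sets that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        for rtype in sorted(set(baseline[name]) | set(current[name])):
            old = baseline[name].get(rtype, set())
            new = current[name].get(rtype, set())
            if old != new:
                changed.setdefault(name, {})[rtype] = (sorted(old), sorted(new))
    return added, removed, changed


def alerts(baseline, current, allowlist=frozenset()):
    """Human-readable alert lines. Names in `allowlist` are subdomains the
    owner created on purpose since the baseline was taken."""
    added, removed, changed = diff_zone(baseline, current)
    lines = []
    for name in added:
        if name not in allowlist:
            rrs = ", ".join(f"{t} {sorted(v)}" for t, v in current[name].items())
            lines.append(f"NEW subdomain not in allowlist: {name} ({rrs})")
    for name in removed:
        lines.append(f"REMOVED: {name}")
    for name, rtypes in changed.items():
        for rtype, (old, new) in rtypes.items():
            lines.append(f"CHANGED {rtype} for {name}: {old} -> {new}")
    return lines


if __name__ == "__main__":
    for line in alerts(BASELINE, CURRENT):
        print(line)
```

Run on a timer (and alongside the registrar's own change-notification e-mails, where offered), this turns the registrant account from something nobody looks at into something that is checked every few minutes; the allowlist keeps the owner's own deployments from paging anyone.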
To find out more about IP Space Monitoring, read Mahjoub’s blog post (linked above), which also includes an in-depth explanation of SPRank. To see the Pattern Search function in action, read the blog post by Security Researcher Chip McSweeney, who used it in an experiment to find DGAs with Python.
